long jumps not supported

[Lenny Zeltser]

Chas and Carter,

Thank you for your replies -- they were very helpful.

Carter's new versions of gencode.h and argus_util.c seem to take care of 
the problem. I cannot determine if the patch breaks anything under the 
surface because I have not been running Argus for long enough to notice the 
difference in behavior. I've been using the new code today without any 
problems.

Chas' workaround of using multiple "ra" evocations with split-up versions 
of the original filter file works well too, especially for those who do not 
wish to incorporate the patch into their Argus distributions.

-- Lenny

 > -----Original Message-----
 > From: owner-argus at lists.andrew.cmu.edu
 > [mailto:owner-argus at lists.andrew.cmu.edu]On Behalf Of Lenny Zeltser
 > Sent: Thursday, June 01, 2000 6:49 PM
 > To: argus at lists.andrew.cmu.edu
 > Subject: long jumps not supported
 >
 >
 > Dear folks,
 >
 > I am in the process of setting up my tcpdump-based filter to
 > perform basic
 > intrusion detection functions via "ra". The filter file documents all
 > traffic that is allowed, prefixed by a "not" as the outer-most
 > expression,
 > so that "ra" reports all traffic that should not be present.
 >
 > The filter file is approximately 700 characters long. I have reached a
 > point, however, where as soon as I add a new clause to the filter, "ra"
 > responds with the following error:
 >
 >    ra: expression: long jumps not supported
 >
 > Is my filter file too long for the program to handle? If so, how
 > do people specify complex rules to the program?